Amendments to the Claims

Listing of Claims 

1. (Original) A method for handling digital data packets at a logical borderline that separates an 
untrusted packet-switched information network from a protected domain, comprising the steps 
of: 

- intercepting, at a packet processor part, a packet that is in transit between the untrusted packet- 
switched information network and the protected domain, 

- examining the packet at the packet processor part in order to determine, whether the packet 
contains digital data that pertains to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain protocol, 
processing the packet at the packet processor part, and 

- if the packet is found to contain digital data that pertains to said certain protocol, redirecting the 
packet to an application gateway part and processing the packet at the application gateway part 
according to a set of processing rules based on obedience to said certain protocol; 

wherein the packet processor part is a kernel mode process running in a computer device and the 
application gateway part is a user mode process running in a computer device.

2. (Original) A method according to claim 1, comprising the steps of:

- regarding a packet that is redirected from the packet processor part to the application gateway 
part: 

- replacing an original value of a certain destination information field within the packet 
with a replacement value that identifies the application gateway part as the destination of 
the packet, 

- indicating from the packet processor part to the application gateway part the original 
value of the destination information field found in the packet at the moment of 
intercepting the packet at the packet processor part and 

- using the indicated original value of the destination information field at the application 
gateway part in processing the packet. 

3. (Original) A method according to claim 2, comprising additionally the steps of: 

- replacing an original value of a certain source information field within the packet with a 
replacement value that identifies the packet processor part as the source of the packet, 

- indicating from the packet processor part to the application gateway part the original value of 
the source information field found in the packet at the moment of intercepting the packet at the 
packet processor part and 

- using the indicated original value of the source information field at the application gateway part 
in processing the packet. 

4. (Original) A method according to claim 2 or 3, wherein steps of indicating the original values 
of certain fields comprise transmitting the original values of such fields from the packet 
processor part to the application gateway part together with the redirected packet, said certain 
fields including at least one of a source field and a destination field.

5. (Original) A method according to claim 4, comprising the steps of:

- at the packet processor part: 

- setting the value of a certain bit in the packet to indicate the presence of urgent 
information within the packet, 

- inserting into a pointer field in the packet a pointer value that points at the end of urgent 
information within the packet, and 

- inserting the original values of said certain fields as urgent information into the packet 
immediately before the location pointed at by the pointer value; and 

- at the application gateway part: 

- reading the original values of said certain fields from the location in the packet pointed 
at by the pointer value. 
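
An illustration of the in-band variant of claims 2 and 5, added here and not part of the claim listing or the application: the packet processor rewrites the destination, sets the URG bit and places the original destination immediately before the location the urgent pointer names, and the gateway reads it back. The 6-byte tag layout, the addresses and ports, and all function names are assumptions of this sketch, which models only an option-free IPv4 TCP segment.

```python
import socket
import struct

URG = 0x20                             # TCP URG flag bit
TCP_HDR = struct.Struct("!HHIIBBHHH")  # 20-byte TCP header, no options
ORIG = struct.Struct("!4sH")           # assumed tag layout: IPv4 address + port


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return inet_checksum(pseudo + segment)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                  urg_ptr, payload):
    def header(csum):
        return TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, window,
                            csum, urg_ptr)
    csum = tcp_checksum(src_ip, dst_ip, header(0) + payload)
    return header(csum) + payload


def parse_segment(segment: bytes):
    (sport, dport, seq, ack, offset, flags, window,
     _csum, urg_ptr) = TCP_HDR.unpack_from(segment)
    if offset >> 4 != 5:
        raise ValueError("TCP options are not handled in this sketch")
    return sport, dport, seq, ack, flags, window, urg_ptr, segment[20:]


def redirect(packet, gw_ip: str, gw_port: int):
    """Packet processor side: rewrite the destination and tag the segment."""
    src_ip, dst_ip, segment = packet
    sport, dport, seq, ack, flags, window, _urg, payload = parse_segment(segment)
    if flags & URG:
        # URG bit and pointer already in use; merging is out of scope here.
        raise ValueError("segment already carries urgent data")
    # Original destination goes immediately before the pointed-at location.
    # Inserting bytes shifts the stream's sequence space; that bookkeeping
    # is not modelled here.
    tag = ORIG.pack(socket.inet_aton(dst_ip), dport)
    redirected = build_segment(src_ip, gw_ip, sport, gw_port, seq, ack,
                               flags | URG, window, len(tag), tag + payload)
    return (src_ip, gw_ip, redirected)


def gateway_receive(packet):
    """Gateway side: recover the original destination and the real payload."""
    src_ip, dst_ip, segment = packet
    if tcp_checksum(src_ip, dst_ip, segment) != 0:
        raise ValueError("TCP checksum mismatch")
    *_, flags, _window, urg_ptr, payload = parse_segment(segment)
    if not flags & URG or not ORIG.size <= urg_ptr <= len(payload):
        raise ValueError("no original-destination tag in segment")
    addr, port = ORIG.unpack_from(payload, urg_ptr - ORIG.size)
    return socket.inet_ntoa(addr), port, payload[urg_ptr:]


# Constructed sample values (documentation address ranges, arbitrary ports).
CLIENT, SERVER, GATEWAY = "192.0.2.10", "198.51.100.7", "127.0.0.1"


def demo():
    original = build_segment(CLIENT, SERVER, 40000, 21, 1000, 5000,
                             0x18, 65535, 0, b"USER anonymous\r\n")
    redirected = redirect((CLIENT, SERVER, original), GATEWAY, 2121)
    return redirected, gateway_receive(redirected)


if __name__ == "__main__":
    redirected, (ip, port, data) = demo()
    print("redirected to", redirected[1], "original destination", ip, port, data)
```

The gateway takes the tag at face value, so it should accept tagged segments only over the path from the packet processor.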

6. (Original) A method according to claim 4, comprising the steps of: 

- at the packet processor part: 

- setting the value of an options field in the packet to indicate the presence of optional 
information within the packet, and 

- inserting the original values of said certain fields into the packet as optional 
information; and 

- at the application gateway part: 

- reading the original values of said certain fields from the packet as optional information. 

7. (Currently Amended) A method according to claim 2 or 3, wherein steps of indicating the 
original values of certain fields comprise transmitting the original values of such fields from the 
packet processor part to the application gateway part separately from the redirected packet, said 
certain fields including at least one of a source field and a destination field.

8. (Original) A method according to claim 7, comprising the steps of:

- at the packet processor part: 

- composing a messaging packet that conforms to a messaging protocol, and inserting the 
original values of said certain fields into the messaging packet together with the 
replacement values, and 

- transmitting the messaging packet to the application gateway part; and 

- at the application gateway part: 

- receiving the messaging packet, and 

- associating the original values of said certain fields read from the messaging packet with 
the replacement values found in the redirected packet. 

9. (Original) A method according to claim 8, wherein the messaging packet is a User Datagram 
Protocol packet. 

10. (Original) A method according to claim 8, wherein the step of transmitting the messaging 
packet to the application gateway part is performed more than once in order to transmit several 
redundant copies of the messaging packet to the application gateway part. 

11. (Original) A method according to claim 7, wherein the packet processor part transmits the 
original values of said certain fields from the packet processor part to the application gateway 
part spontaneously. 

12. (Original) A method according to claim 7, comprising the step of transmitting from the 
application gateway part to the packet processor part a query for the original values of certain 
fields, so that the packet processor part only transmits the original values of said certain fields to 
the application gateway part as a response to said query.

13. (Original) A method according to claim 7, wherein the packet processor part transmits the
original values of said certain fields from the packet processor part to the application gateway 
part spontaneously, and if the application gateway part has not received such spontaneously 
transmitted original values within a certain time limit after the reception of a packet for which 
such original values would be needed, the application gateway part transmits to the packet 
processor part a query for the original values of said certain fields, so that the packet processor 
part also transmits the original values of said certain fields to the application gateway part as a 
response to said query. 

14. (Original) A method according to claim 7, comprising the step of transmitting the original 
values of said certain fields from the packet processor part to an application gateway part running 
in the same computer device with the packet processor part through a communications routine 
that is internal to that computer device and relies on functions defined in an operating system of 
that computer device. 

15. (Original) A method according to claim 1, comprising the steps of: 

- regarding a packet that is redirected from the packet processor part to the application gateway 
part: 

- prepending a header to the packet at the packet processor part, the prepended header 
containing a value that identifies the application gateway part as the destination of the 
packet, 

- stripping the prepended header from the packet at the application gateway part and 

- using the original value of a destination information field in the packet at the application 
gateway part in processing the packet.

16. (Original) A method according to claim 15, wherein the prepended header also contains a
value that identifies the packet processor part as the source of the packet. 

17. (Original) A method according to claim 1, comprising the steps of: 

- at the packet processor part: 

- enveloping an original packet to be redirected from the packet processor part to the 
application gateway part into an enveloping packet; and 

- at the application gateway part: 

- extracting the original packet from the enveloping packet. 

18. (Original) A method according to claim 17, wherein the enveloping packet is a packet 
according to the Socks protocol. 

19. (Original) A method according to claim 1, wherein the step of redirecting the packet to an 
application gateway part involves only transferring the packet to a logically separate entity within 
the same physical device where the packet processor part resides. 

20. (Original) A method according to claim 1, wherein the step of redirecting the packet to an 
application gateway part involves transferring the packet to a device that is physically separate 
from the device where the packet processor part resides.

21. (Currently Amended) A method according to claim 1, comprising, [[-]] after the step of
processing the packet at the application gateway part, [[-]] the further steps of:

- returning the processed packet from the application gateway part to the packet processor part 
and 

- forwarding such a returned packet from the packet processor part towards an original 
destination that the packet had at the moment of it becoming intercepted. 

22. (Original) A method according to claim 21, comprising the steps of: 

- composing at the packet processor part a mapping function that associates a packet redirected to 
the application gateway part with an original value of a certain destination information field that 
said packet had at the moment of it becoming intercepted and 

- as a response to receiving a processed packet from the application gateway part to the packet 
processor part, using said mapping function to restore the original value of the destination 
information field in that processed packet. 

23. (Original) A method according to claim 22, wherein the mapping function also associates a 
packet redirected to the application gateway part with an original value of a certain source 
information field that said packet had at the moment of it becoming intercepted, and as a 
response to receiving a processed packet from the application gateway part to the packet 
processor part, said mapping function is also used to restore the original value of the source 
information field in that processed packet.

24. (Original) A method according to claim 21, comprising the steps of:

- transmitting from the application gateway part to the packet processor part information that 
associates a processed packet returned from the application gateway part to the packet processor 
part with an original value of a certain destination information field that said processed packet 
had at the moment of it becoming intercepted and 

- as a response to receiving a processed packet from the application gateway part to the packet 
processor part, using said transmitted information to restore the original value of the destination 
information field in that processed packet. 

25. (Original) A method according to claim 24, comprising the steps of: 

- transmitting from the application gateway part to the packet processor part information that 
associates a processed packet returned from the application gateway part to the packet processor 
part with an original value of a certain source information field that said processed packet had at 
the moment of it becoming intercepted and 

- as a response to receiving a processed packet from the application gateway part to the packet 
processor part, using said transmitted information to restore the original value of the source 
information field in that processed packet. 

26. (Currently Amended) A method according to claim 1, comprising, [[-]] after the step of
processing the packet at the application gateway part, [[-]] the further step of:

- forwarding such a processed packet from the application gateway part towards an original 
destination that the packet had at the moment of it becoming intercepted, without circulating the 
forwarded packet through the packet processor part.

27. (Original) A method according to claim 26, comprising the steps of:

- transmitting from the packet processor part to the application gateway part information that 
associates each packet redirected from the packet processor part to the application gateway part 
with an original value of a certain destination information field that the redirected packet had at 
the moment of it becoming intercepted and 

- after a packet has been processed at the application gateway part, using said transmitted 
information to restore the original value of the destination information field in that packet. 

28. (Original) A method according to claim 27, comprising the steps of: 

- transmitting from the packet processor part to the application gateway part information that 
associates each packet redirected from the packet processor part to the application gateway part 
with an original value of a certain source information field that the redirected packet had at the 
moment of it becoming intercepted and 

- after a packet has been processed at the application gateway part, using said transmitted 
information to restore the original value of the source information field in that packet. 

29. (Original) A method according to claim 1, wherein packets are handled in packet streams, all 
packets of an individual packet stream having the same values in certain source and destination 
information fields of each packet, and wherein if the first intercepted packet of a certain packet 
stream is found to contain digital data that pertains to said certain protocol, that packet and all 
subsequent packets belonging to the same packet stream are redirected to the application gateway 
part and processed at the application gateway part according to the set of processing rules based 
on obedience to said certain protocol.

30. (Original) A method according to claim 29, comprising the steps of:

- within the first packet and all subsequent packets of a certain packet stream that is found to 
contain digital data that pertains to said certain protocol, replacing an original value of a certain 
destination information field with a replacement value that identifies the application gateway part 
as the destination of the packets, thus enabling redirecting to the application gateway part, 

- indicating from the packet processor part to the application gateway part the original value of 
the destination information field found in the first redirected packet of a packet stream at the 
moment of intercepting the packet at the packet processor part and 

- using the indicated original value of the destination information field at the application gateway 
part in processing the packets of the redirected packet stream. 

31. (Original) A method according to claim 30, comprising the steps of: 

- within the first packet and all subsequent packets of a certain packet stream that is found to 
contain digital data that pertains to said certain protocol, replacing also an original value of a 
certain source information field with a replacement value that identifies the packet processor part 
as the source of the packets, 

- indicating from the packet processor part to the application gateway part the original value of 
the source information field found in the first redirected packet of a packet stream at the moment 
of intercepting the packet at the packet processor part and 

- using the indicated original value of the source information field at the application gateway part 
in processing the packets of the redirected packet stream. 

32. (Original) A method according to claim 30 or 31, wherein the step of indicating from the 
packet processor part to the application gateway part the original values of certain information 
fields comprises at least one repetition in order to transmit redundant indications from the packet 
processor part to the application gateway part.

33. (Original) A method according to claim 29, wherein the packets of an individual packet
stream belong to an individual TCP connection. 

34. (Currently Amended) A method according to claim 1, comprising, [[-]] between the steps of
redirecting the packet to the application gateway part and processing the packet at the application 
gateway part, [[-]] a step of removing from the redirected packet any traces of it having been 
redirected, so that the application gateway part processes the packet as if it had received the 
packet for processing immediately after the packet was intercepted. 

35. (Currently Amended) A method according to claim 34, comprising, [[-]] after the step of
processing the packet at the application gateway part, [[-]] the steps of: 

- re-inserting into the processed packet the redirection information that was removed from the 
packet before processing the packet at the application gateway part, so that after the re-inserting 
the packet contains values that identify the application gateway part as the source and the packet 
processor part as the destination of the packet, 

- returning the processed packet from the application gateway part to the packet processor part 
and 

- forwarding such a returned packet from the packet processor part towards an original 
destination that the packet had at the moment of it becoming intercepted. 

36. (Original) A method according to claim 1, comprising the step of: 

- after a certain packet has been redirected from the packet processor part to the application 
gateway part, dynamically establishing a new instruction for the packet processor part regarding 
the redirecting of subsequently arriving packets that have a certain relationship to the packet that 
was redirected from the packet processor part to the application gateway part.

37. (Original) A method according to claim 36, comprising the steps of:

- detecting at the application gateway part that a packet that was redirected from the packet 
processor part to the application gateway part contains data that pertains to a certain control 
channel defined in a protocol that also defines a data channel associated with said control 
channel, 

- establishing a new instruction for the packet processor part to redirect to the application 
gateway part subsequently arriving packets that contain data that pertains to said data channel, 
and 

- communicating the established new instruction from the application gateway part to the packet 
processor part. 

38. (Original) A method according to claim 36, comprising the steps of: 

- detecting that a packet that was redirected from the packet processor part to the application 
gateway part is associated with a certain first port number and contains data that pertains to a 
certain protocol that defines that also a certain second port number should be reserved to said 
certain protocol, and 

- establishing a new instruction for the packet processor part to redirect to the application 
gateway part subsequently arriving packets that are associated with said second port number. 



Attorney Docket No. 35997-215657
Applicants: Ylonen et al.
Appl. No. 10/020,299

39. (Original) A method for handling digital data packets at a logical borderline that separates an 
untrusted packet-switched information network from a protected domain, comprising the steps 
of: 

- intercepting, at a packet processor part, a packet that is in transit between the untrusted packet- 
switched information network and the protected domain, 

- examining the packet at the packet processor part in order to determine, whether the packet 
contains digital data that pertains to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain protocol, 
processing the packet at the packet processor part, and 

- if the packet is found to contain digital data that pertains to said certain protocol, 

- replacing an original value of a certain destination information field within the packet 
with a replacement value that identifies an application gateway part as the destination of 
the packet, and redirecting the packet to the application gateway part, 

- indicating from the packet processor part to the application gateway part the 
original value of the destination information field found in the packet at the moment of 
intercepting the packet at the packet processor part and 

- using the indicated original value the destination information field at the application 
gateway part in processing the packet according to a set of processing rules based on 
obedience to said certain protocol.

40. (Original) A method according to claim 39, additionally comprising the steps of:

- if the packet is found to contain digital data that pertains to said certain protocol, replacing also 
an original value of a certain source information field within the packet with a replacement value 
that identifies the packet processing part as the destination of the packet before redirecting the 
packet to the application gateway part, 

- indicating from the packet processor part to the application gateway part the original value of 
the source information field found in the packet at the moment of intercepting the packet at the 
packet processor part and 

- using the indicated original value the source information field at the application gateway part in 
processing the packet according to a set of processing rules based on obedience to said certain 
protocol.

41. (Original) A method for handling digital data packets at a logical borderline that separates an
untrusted packet-switched information network from a protected domain, comprising the steps 
of: 

- intercepting, at a packet processor part, a packet that is in transit between the untrusted packet- 
switched information network and the protected domain, 

- examining the packet at the packet processor part in order to determine, whether the packet 
contains digital data that pertains to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain protocol, 
processing the packet at the packet processor part, and 

- if the packet is found to contain digital data that pertains to said certain protocol, 

- prepending a header to the packet at the packet processor part, the prepended header 
containing a value that identifies an application gateway part as the destination of the 
packet, and redirecting the packet to the application gateway part, 

- stripping the prepended header from the packet at the application gateway part and 

- using the original value of the destination information field in the packet at the 
application gateway part in processing the packet according to a set of processing rules 
based on obedience to said certain protocol. 

42. (Original) A method according to claim 41, additionally comprising the steps of: 

- if the packet is found to contain digital data that pertains to said certain protocol, inserting into 
the prepended header also a value that identifies the packet processor part as the source of the 
packet before redirecting the packet to the application gateway part, and 

- using the original value of the source information field in the packet at the application gateway 
part in processing the packet according to a set of processing rules based on obedience to said 
certain protocol.

43. (Original) A method for handling digital data packets at a packet processing entity located at
a logical borderline that separates an untrusted packet-switched information network from a 
protected domain, comprising the steps of: 

- intercepting a packet when the packet is in transit between the untrusted packet-switched 
information network and the protected domain, 

- examining the packet in order to determine, whether the packet contains digital data that 
pertains to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain protocol, 
processing the packet at the packet processing entity, and 

- if the packet is found to contain digital data that pertains to said certain protocol, 

- replacing an original value of a certain destination information field within the packet 
with a replacement value that identifies an application gateway part as the destination of 
the packet, 

- redirecting the packet to the application gateway part for processing according to a 
set of processing rules based on obedience to said certain protocol, and 

- indicating to the application gateway part the original value of the destination 
information field found in the packet at the moment of intercepting the packet at the 
packet filtering entity. 

44. (Original) A method according to claim 43, additionally comprising the steps of: 

- if the packet is found to contain digital data that pertains to said certain protocol, replacing an 
original value of a certain source information field within the packet with a replacement value 
that identifies the packet processing entity as the source of the packet before redirecting the 
packet to the application gateway part, and 

- indicating to the application gateway part also the original value of the source information field 
found in the packet at the moment of intercepting the packet at the packet processing entity.

45. (Original) A method according to claim 43, additionally comprising the steps of:

- receiving a packet from the application gateway part after processing according to a set of 
processing rules based on obedience to said certain protocol, 

- restoring the destination information field within the packet to contain the original value that 
was previously replaced with a replacement value that identified the application gateway part as 
the destination of the packet, and 

- releasing the packet towards a destination that is identified by the original value. 

46. (Original) A method according to claim 45, additionally comprising the step of restoring a 
source information field within the packet that was received from the application gateway part to 
contain an original value that was previously replaced with a replacement value that identified 
the packet processor part as the source of the packet.

47. (Original) A method for handling digital data packets at a packet processing entity located at
a logical borderline that separates an untrusted packet-switched information network from a 
protected domain, comprising the steps of: 

- intercepting a packet when the packet is in transit between the untrusted packet-switched 
information network and the protected domain, 

- examining the packet in order to determine, whether the packet contains digital data that 
pertains to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain protocol, 
processing the packet at the packet processing entity, and 

- if the packet is found to contain digital data that pertains to said certain protocol, 

- prepending a header to the packet, the prepended header containing a value that 
identifies an application gateway part as the destination of the packet, and 

- redirecting the packet to the application gateway part for processing according to a 
set of processing rules based on obedience to said certain protocol. 

48. (Original) A method according to claim 47, additionally comprising the step of: 

- if the packet is found to contain digital data that pertains to said certain protocol, 
inserting into the prepended header also a value that identifies the packet processing 
entity as the source of the packet before redirecting the packet to the application gateway 
part. 

49. (Original) A method according to any of claims 1, 39, 41, 43 or 47, wherein the step of 
examining the packet in order to determine, whether the packet contains digital data that pertains 
to a certain protocol, involves handling the packet according to a set of packet filtering rules.

50. (Original) A method according to any of claims 1, 39, 41, 43 or 47, wherein the step of
examining the packet in order to determine, whether the packet contains digital data that pertains 
to a certain protocol, involves checking, whether the packet belongs to a connection or flow all 
packets of which should be redirected to the application gateway part. 

51. (Original) A method for handling digital data packets at an application gateway entity 
located at a logical borderline that separates an untrusted packet-switched information network 
from a protected domain, comprising the steps of: 

- receiving an intercepted and redirected packet from a packet processor part that intercepts 
packets when they are in transit between the untrusted packet-switched information network and 
the protected domain, 

- receiving from the packet processor part an original value of a certain destination information 
field found in the packet at the moment of intercepting the packet at the packet processor part, 
and 

- processing the packet according to a set of processing rules that are based on obedience to said 
certain protocol and take also the original value of the destination information field into account. 

52. (Original) A method according to claim 51, additionally comprising the steps of: 

- receiving from the packet processor part an original value of a certain source information field 
found in the packet at the moment of intercepting the packet at the packet processor part, and 

- processing the packet according to a set of processing rules that are based on obedience to said 
certain protocol and take also the original value of the source information field into account.

53. (Original) A system for handling digital data packets at a logical borderline that separates an
untrusted packet-switched information network from a protected domain, comprising: 

- a packet processor part that is arranged to intercept packets when they are in transit between the 
untrusted packet-switched information network and the protected domain and to examine the 
packets in order to determine, whether the packets contain digital data that pertains to a certain 
protocol, 

- an application gateway part and a communications connection between the packet processor 
part and the application gateway part, 

- at the packet processor part, packet processing means that are arranged to process such packets 
that are not found to contain digital data that would pertain to said certain protocol, 

- at the packet processor part, redirecting means that are arranged to redirect to the application 
gateway part such packets that are found to contain digital data that pertains to said certain 
protocol, and 

- at the application gateway part, application gateway processing means that are arranged to 
process such packets according to a set of processing rules based on obedience to said certain 
protocol that are redirected from the packet processor part to the application gateway part; 

of which the packet processor part is arranged to run as a kernel mode process in a computer device 
and the application gateway part is arranged to run as a user mode process in a computer device. 

54. (Original) A system according to claim 53, comprising: 

- at the packet processor part, means for replacing an original value of a certain destination 
information field within a packet with a replacement value that identifies the application gateway 
part as the destination of the packet, 

- means for indicating from the packet processor part to the application gateway part the original 
value of the destination information field found in the packet at the moment of intercepting the 
packet at the packet processor part and 

- at the application gateway part, means for using the indicated original value of the destination 
information field at the application gateway part in processing the packet. 

55. (Original) A system according to claim 54, additionally comprising: 

- at the packet processor part, means for replacing an original value of a certain source 
information field within a packet with a replacement value that identifies the packet processor 
part as the source of the packet, 

- means for indicating from the packet processor part to the application gateway part the original 
value of the source information field found in the packet at the moment of intercepting the packet 
at the packet processor part and 

- at the application gateway part, means for using the indicated original value of the source 
information field at the application gateway part in processing the packet. 

56. (Original) A system according to claim 53, comprising: 

- at the packet processor part, means for prepending a header to a packet, the prepended header 
containing a value that identifies the application gateway part as the destination of the packet, 

- at the application gateway part, means for stripping a prepended header from a packet and 

- at the application gateway part, means for using the original value of the destination 
information field in the packet in processing the packet. 

57. (Original) A system according to claim 56, additionally comprising: 

- at the packet processor part, means for inserting into the prepended header also a value that 
identifies the packet processor part as the source of the packet, and 

- at the application gateway part, means for using the original value of the source information 
field in the packet in processing the packet. 

58. (Original) A system according to claim 53, comprising a single computer device arranged to 
run the packet processor part as a kernel mode process and the application gateway part as a user 
mode process. 

59. (Original) A system according to claim 53, comprising a first computer device arranged to 
run the packet processor part as a kernel mode process and a second computer device, separately 
from said first computer device, arranged to run the application gateway part as a user mode 
process. 

60. (Original) A system according to claim 59, wherein the second computer is arranged to run 
several application gateway parts as simultaneously or alternately active user mode processes. 

61. (Original) A system according to claim 59, comprising several second computer devices, 
each of which has a communications connection with the first computer device and each of 
which is arranged to run at least one application gateway part as a user mode process. 

62. (Original) A packet processing device for handling digital data packets at a logical borderline 
that separates an untrusted packet-switched information network from a protected domain, 
comprising: 

- packet intercepting means for intercepting packets when they are in transit between the 
untrusted packet-switched information network and the protected domain, 

- packet examining means for examining packets in order to determine, whether they contain 
digital data that pertains to a certain protocol, 

- packet processing means for processing such packets that are not found to contain digital data 
that would pertain to said certain protocol, 

- replacing means for replacing, in packets that are found to contain digital data that pertains to 
said certain protocol, an original value of a certain destination information field with a 
replacement value that identifies an application gateway device as the destination of such 
packets, 

- redirecting means for redirecting packets to the application gateway device for processing 
according to a set of processing rules based on obedience to said certain protocol, and 

- signalling means for indicating to the application gateway part the original value of the 
destination information field found in packets at the moment of intercepting the packets at the 
packet filtering device. 

63. (Original) A packet processing device according to claim 62, wherein: 

- the replacing means are also adapted to replace, in packets that are found to contain digital data 
that pertains to said certain protocol, an original value of a certain source information field with a 
replacement value that identifies the packet processing device as the source of such packets, and 

- the signalling means are also adapted to indicate to the application gateway part the original 
value of the source information field found in packets at the moment of intercepting the packets 
at the packet filtering device. 

64. (Original) A packet processing device for handling digital data packets at a logical borderline 
that separates an untrusted packet-switched information network from a protected domain, 
comprising: 

- packet intercepting means for intercepting packets when they are in transit between the 
untrusted packet-switched information network and the protected domain, 

- packet examining means for examining packets in order to determine, whether they contain 
digital data that pertains to a certain protocol, 

- packet processing means for processing such packets that are not found to contain digital data 
that would pertain to said certain protocol, 

- header adding means for prepending, to packets that are found to contain digital data that 
pertains to said certain protocol, a header containing a value that identifies an application 
gateway device as the destination of such packets, and 

- redirecting means for redirecting packets to the application gateway device for processing 
according to a set of processing rules based on obedience to said certain protocol. 

65. (Original) A packet processing device according to claim 64, wherein: 

- the header adding means are adapted to insert into the header also a value that identifies the 
packet processing device as the source of packets that are found to contain digital data that 
pertains to said certain protocol. 

66. (Original) An application gateway device for handling digital data packets at a logical 
borderline that separates an untrusted packet-switched information network from a protected 
domain, comprising: 

- means for receiving intercepted and redirected packets from a packet processor device that 
intercepts packets when they are in transit between the untrusted packet-switched information 
network and the protected domain, 

- means for receiving from the packet processor device an original value of a certain destination 
information field found in packets at the moment of intercepting the packets at the packet 
processor part, and 

- means for processing packets according to a set of processing rules that are based on obedience 
to said certain protocol and take also the original value of the destination information fields into 
account. 

67. (Original) An application gateway device according to claim 66, additionally comprising 
means for receiving from the packet processor device an original value of a certain source 
information field found in packets at the moment of intercepting the packets at the packet 
processor part, so that the means for processing packets are adapted to process packets according 
to a set of processing rules that are based on obedience to said certain protocol and take also the 
original values of the source and destination information fields into account. 

68. (Original) A software program product for handling digital data packets at a logical 
borderline that separates an untrusted packet-switched information network from a protected 
domain, comprising: 

- a packet processor program that is arranged to intercept packets when they are in transit 
between the untrusted packet-switched information network and the protected domain and to 
examine the packets in order to determine, whether the packets contain digital data that pertains 
to a certain protocol, 

- an application gateway program arranged to communicate with the packet processor program, 

- at the disposal of the packet processor program, packet processing means that are arranged to 
process such packets that are not found to contain digital data that would pertain to said certain 
protocol, 

- at the disposal of the packet processor program, redirecting means that are arranged to redirect 
to the application gateway program such packets that are found to contain digital data that 
pertains to said certain protocol, and 

- at the disposal of the application gateway program, application gateway processing means that 
are arranged to process such packets according to a set of processing rules based on obedience to 
said certain protocol that are redirected from the packet processor program to the application 
gateway program; 

of which the packet processor program is arranged to run as a kernel mode process in a computer 
device and the application gateway program is arranged to run as a user mode process in a 
computer device. 

69. (Original) A packet processor software program product for handling digital data packets at a 
logical borderline that separates an untrusted packet-switched information network from a 
protected domain, comprising: 

- packet intercepting means for intercepting packets when they are in transit between the 
untrusted packet-switched information network and the protected domain, 

- packet examining means for examining packets in order to determine, whether they contain 
digital data that pertains to a certain protocol, 

- packet processing means for processing such packets that are not found to contain digital data 
that would pertain to said certain protocol, 

- replacing means for replacing, in packets that are found to contain digital data that pertains to 
said certain protocol, an original value of a certain destination information field with a 
replacement value that identifies an application gateway program as the destination of such 
packets, 

- redirecting means for redirecting packets to the application gateway program for processing 
according to a set of processing rules based on obedience to said certain protocol, and 

- signalling means for indicating to the application gateway program the original value of the 
destination information field found in packets at the moment of intercepting the packets at the 
packet filter program. 

70. (Original) A packet processor software program product according to claim 69, wherein: 

- the replacing means are also adapted to replace, in packets that are found to contain digital data 
that pertains to said certain protocol, an original value of a certain source information field with a 
replacement value that identifies the packet processor program as the source of such packets, and 

- the signalling means are also adapted to indicate to the application gateway program the 
original value of the source information field found in packets at the moment of intercepting the 
packets at the packet filter program. 

71. (Original) A packet processor software program product for handling digital data packets at a 
logical borderline that separates an untrusted packet-switched information network from a 
protected domain, comprising: 

- packet intercepting means for intercepting packets when they are in transit between the 
untrusted packet-switched information network and the protected domain, 

- packet examining means for examining packets in order to determine, whether they contain 
digital data that pertains to a certain protocol, 

- packet processing means for processing such packets that are not found to contain digital data 
that would pertain to said certain protocol, 

- header adding means for prepending, to packets that are found to contain digital data that 
pertains to said certain protocol, a header containing a value that identifies an application 
gateway program as the destination of such packets, and 

- redirecting means for redirecting packets to the application gateway program for processing 
according to a set of processing rules based on obedience to said certain protocol. 

72. (Original) A packet processor software program product according to claim 71, wherein the 
header adding means are adapted to insert, to the header that is prepended to packets that are 
found to contain digital data that pertains to said certain protocol, a value that identifies the 
packet processor program as the source of such packets. 

73. (Original) An application gateway software program product for handling digital data 
packets at a logical borderline that separates an untrusted packet-switched information network 
from a protected domain, comprising: 

- means for receiving intercepted and redirected packets from a packet processor program that 
intercepts packets when they are in transit between the untrusted packet-switched information 
network and the protected domain, 

- means for receiving from the packet processor program an original value of a certain 
destination information field found in packets at the moment of intercepting the packets at the 
packet processor program, and 

- means for processing packets according to a set of processing rules that are based on obedience 
to said certain protocol and take also the original value of the destination information field into 
account. 

74. (Original) An application gateway software program product according to claim 73, 
additionally comprising means for receiving from the packet processor program an original value 
of a certain source information field found in packets at the moment of intercepting the packets at 
the packet processor program, so that the means for processing packets are adapted to process 
packets according to a set of processing rules that are based on obedience to said certain protocol 
and take also the original values of the source and destination information fields into account. 
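
Illustration added here, not part of the claims listing or of any implementation by the applicant: a user-space model of the two redirect variants the claims distinguish, field replacement with the original values signalled separately (claims 54-55, 62-63, 69-70) and a prepended header that the gateway strips (claims 56-57, 64-65, 71-72). The packet layout, the addresses, the port-based protocol test and the side table used as the signalling channel are all assumptions made for the example.

```python
import struct
from ipaddress import IPv4Address

FMT = "!4sH4sH"                 # constructed layout: src ip, src port, dst ip, dst port
HDR = struct.calcsize(FMT)      # 12 bytes
GATEWAY = ("192.0.2.10", 8021)  # application gateway part (constructed address)
PROCESSOR = "192.0.2.1"         # packet processor part (constructed address)
PROTO_PORT = 21                 # assumed test for "said certain protocol"

def pack(src, dst, payload):
    return struct.pack(FMT, IPv4Address(src[0]).packed, src[1],
                       IPv4Address(dst[0]).packed, dst[1]) + payload

def unpack(pkt):
    if len(pkt) < HDR:
        raise ValueError("truncated packet")
    s, sp, d, dp = struct.unpack(FMT, pkt[:HDR])
    return (str(IPv4Address(s)), sp), (str(IPv4Address(d)), dp), pkt[HDR:]

class PacketProcessor:
    """Models the kernel mode part; side_table is the assumed signalling channel."""
    def __init__(self):
        self.side_table = {}
        self.next_port = 40000

    def redirect_by_rewrite(self, pkt):
        src, dst, payload = unpack(pkt)
        if dst[1] != PROTO_PORT:
            return "processed-locally", pkt
        new_src = (PROCESSOR, self.next_port)   # unique per redirected packet
        self.next_port += 1
        self.side_table[new_src] = (src, dst)   # indicate the original values
        return "redirected", pack(new_src, GATEWAY, payload)

    def redirect_by_prepend(self, pkt):
        _, dst, _ = unpack(pkt)
        if dst[1] != PROTO_PORT:
            return "processed-locally", pkt
        outer = pack((PROCESSOR, 0), GATEWAY, b"")
        return "redirected", outer + pkt        # inner packet left untouched

def gateway_after_rewrite(pkt, side_table):
    new_src, _, payload = unpack(pkt)
    orig = side_table.get(new_src)
    if orig is None:                            # fail closed without the originals
        raise LookupError("no original addresses signalled for this packet")
    return orig[0], orig[1], payload

def gateway_after_prepend(pkt):
    _, outer_dst, inner = unpack(pkt)           # strip the prepended header
    if outer_dst != GATEWAY:
        raise ValueError("prepended header not addressed to this gateway")
    return unpack(inner)                        # originals read from the packet itself
```

In the rewrite variant the gateway's rules depend on state held outside the packet, so a missing side-table entry has to be treated as a refusal; in the prepend variant the original fields travel inside the packet and no separate indication is needed.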